Skip to content

nixos/etc: sanitize /etc setup script#41276

Closed
tkerber wants to merge 5 commits intoNixOS:masterfrom
tkerber:nixos/etc-sanitise
Closed

nixos/etc: sanitize /etc setup script#41276
tkerber wants to merge 5 commits intoNixOS:masterfrom
tkerber:nixos/etc-sanitise

Conversation

@tkerber
Copy link
Member

@tkerber tkerber commented May 30, 2018

Fixes #41241

Motivation for this change

Variables passed to the /etc setup script were not shell escaped. This has been changed.
I am not entirely comfortable with the use of eval to construct arrays from the sanitised input, but I haven't found a better approach to convert a string of shell-escaped arguments into an array of strings in bash.

I have tested it myself, however I am not familiar enough with nixos tests to know which ones need to be run for something as low-level as this, and I'm well aware that any change in the /etc setup could break a lot. Any advice on this?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Mic92
Mic92 reviewed May 31, 2018
View reviewed changes
nixos/modules/system/etc/make-etc.sh Outdated
modes_=($modes)
users_=($users)
groups_=($groups)
eval "sources_=($sources)"
Copy link
Member

@Mic92 Mic92 May 31, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the value of $sources looks like in that case?

Copy link
Member Author

@tkerber tkerber May 31, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this brought to my attention that $sources actually shouldn't be escaped, because it's a list of paths, that when escaped don't get properly imported into the store. It also means the script is passed a list of nix store paths, which are sanitized anyway.

For the others, specifically $target, assuming we have the files foo and bar baz, it would like 'foo' 'bar baz', whereas previously it was foo bar baz.

The eval is safe, as it expands to an array literal of string literals.

@GrahamcOfBorg GrahamcOfBorg added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels May 31, 2018
@tkerber
Copy link
Member Author

tkerber commented May 31, 2018

While fixing the sanitization of $sources, I realised that I'd missed the globbing section of the script. On looking into it, the globbing section is a) inherently unsanitised, and b) impossible to reach, as it requires a nix store path to have a * in it. I've gone through the history, and it seems to come from a time when the source property was not typed (i.e. could be a string). I therefore think it is safe to remove.

@tkerber
Copy link
Member Author

tkerber commented May 31, 2018
edited
Loading

Wait, sorry, it still seems to be in use! E.g. In fail2ban.

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels May 31, 2018
@mmahut
Copy link
Member

mmahut commented Aug 3, 2019

What is the status of this pull request?

@stale
Copy link

stale bot commented Jun 1, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
    irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 1, 2020
@stammon
Copy link
Contributor

stammon commented Jul 18, 2020

I think the underlying issue has never been fixed, so somebody who is more familiar with this low level of the nixos module system should revisit it and hopefully merge it

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 18, 2020
samuela
samuela approved these changes Sep 23, 2020
View reviewed changes
Copy link
Member

@samuela samuela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like some of these changes have already made it into make-etc.sh but otherwise LGTM.

@ryantm ryantm added 2.status: merge conflict This PR has merge conflicts with the target branch and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Oct 3, 2020
@xaverdh
Copy link
Contributor

xaverdh commented Jan 8, 2021
edited
Loading

Can't we just set __structuredAttrs here and then obtain the values from json with jq?

edit: ah no jq needed, I just discovered .attrs.sh. Sadly, I also just discovered that structured attributes require support in stdenv..

@xaverdh xaverdh mentioned this pull request Jan 8, 2021
Closed
10 tasks
@FRidh
Copy link
Member

FRidh commented Jan 8, 2021
edited
Loading

you can use toJSON and pass the path to the derivation. In that case its probably clearer to rewrite this script in Python.

@xaverdh xaverdh mentioned this pull request Jan 8, 2021
Closed
10 tasks
@xaverdh
Copy link
Contributor

xaverdh commented Jan 8, 2021

you can use toJSON and pass the path to the derivation. In that case its probably clearer to rewrite this script in Python.

I went ahead with the jq appoach: #108779
doesn't look too ugly, but python would be better still ;-)

@stale
Copy link

stale bot commented Jul 8, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 8, 2021
This was referenced Jul 22, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Mic92 left review comments

@samuela samuela samuela approved these changes

Assignees

No one assigned

Labels

2.status: merge conflict This PR has merge conflicts with the target branch 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Whitespace in environment.etc target crashes nixos

9 participants

@tkerber @mmahut @stammon @xaverdh @FRidh @Mic92 @samuela @ryantm @GrahamcOfBorg